Re: [lvs-users] IPVSadm and passive FTP bug on CentOS 7/Debian 8, works

To:	Mischa Verheul <mischa.verheul@xxxxxxxxxx>
Subject:	Re: [lvs-users] IPVSadm and passive FTP bug on CentOS 7/Debian 8, works fine on CentOS 5
Cc:	lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From:	Julian Anastasov <ja@xxxxxx>
Date:	Mon, 5 Dec 2016 10:46:08 +0200 (EET)

        Hello,

On Fri, 2 Dec 2016, Mischa Verheul wrote:

> Hello,
> 
> I'm trying to set up an IPVS NAT loadbalance solution with failover through
> keepalived and sync through "ipvsadm --start-daemon" on CentOS 7.
> Protocols such as HTTP work as expected, but FTP in passive mode isn't
> working for the FTP-data connection. It stops after issueing a list or get
> command.
> 
> After I couldn't find out what was possibly wrong with my configuration
> after following documentation, I set up two basic IPVS setups for
> trial&error:
> Client        ->        IPVSmachine        ->        FTPserver
> 192.168.2.6        2.100/157.254            192.168.157.10/GW
> 192.168.157.254
> 
> CentOS 5: uname -r 2.6.18-398.el5
> CentOS 7: uname -r 3.10.0-327.36.3.el7.x86_64
> 
> Configuration on both IPVS machines is identical:
> ipvsadm -A -t 192.168.2.100:21 -s rr
> ipvsadm -a -t 192.168.2.100:21 -r 192.168.157.10:21 -m
> net.ipv4.ip_forward=1
> modprobe ip_vs_ftp
> no iptables rules
> 
> [root@cent5 ~]# lsmod | grep -i ftp
> Module                  Size  Used by
> ip_vs_ftp              39109  1
> ip_vs                 122241  5 ip_vs_ftp,ip_vs_rr
> 
> 
> [root@cent7 ~]# lsmod | grep -i ftp
> Module                  Size  Used by
> ip_vs_ftp              13079  0
> nf_nat                 26146  1 ip_vs_ftp
> ip_vs                 140944  5 ip_vs_rr,ip_vs_ftp

        For the new kernels more modules are needed:

# 2.6.22+
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp

# For ip_vs_ftp (NAT mode) to properly adjust TCP SEQ numbers:
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
# or
echo 1 > /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal

# 2.6.36+, ip_vs_ftp (NAT mode) to properly adjust TCP SEQ numbers:
modprobe iptables_nat

        You can find more info (a bit outdated, up to 2.6.36) in
HOWTO.txt here:

http://ja.ssi.bg/nfct/

        i.e. you can check the example with iptables rules
in case you have some filtering applied.

Regards

--
Julian Anastasov <ja@xxxxxx>

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

<Prev in Thread]	Current Thread	[Next in Thread>
[lvs-users] IPVSadm and passive FTP bug on CentOS 7/Debian 8, works fine on CentOS 5, Mischa Verheul Re: [lvs-users] IPVSadm and passive FTP bug on CentOS 7/Debian 8, works fine on CentOS 5, Julian Anastasov <=

Previous by Date:	[lvs-users] IPVSadm and passive FTP bug on CentOS 7/Debian 8, works fine on CentOS 5, Mischa Verheul
Next by Date:	[lvs-users] ipvs udp forwarding problem, Zetan Drableg
Previous by Thread:	[lvs-users] IPVSadm and passive FTP bug on CentOS 7/Debian 8, works fine on CentOS 5, Mischa Verheul
Next by Thread:	[lvs-users] ipvs udp forwarding problem, Zetan Drableg
Indexes:	[Date] [Thread] [Top] [All Lists]